Comment 38 for bug 26650

In , Frank Küster (frank-kuesterei) wrote : Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?

Martin Pitt <email address hidden> wrote:

> Hi Florian, hi Frank!
>
> Frank Küster [2005-12-08 22:55 +0100]:
>> Florian Weimer <email address hidden> wrote:
>> > By the way, the gmallocn function suffers from undefined integer
>> > overflow, too:
>> >
>> > void *gmallocn(int nObjs, int objSize) {
>> >   int n;
>> >
>> >   n = nObjs * objSize;
>> >   if (objSize == 0 || n / objSize != nObjs) {
>> >     fprintf(stderr, "Bogus memory allocation size\n");
>> >     exit(1);
>> >   }
>> >   return gmalloc(n);
>> > }
>>
>> What's the problem here? That the value in "n" is undefined, and
>> therefore the comparison n / objSize != nObjs is undefined, too?
>
> n is not 'undefined' here. For every given nObjs and objSize input, it
> always gets the same well-defined value.
>
> We can assume that objSize is a small positive number, since it is not
> user defined (just a sizeof value). The function works correctly for
> positive number of nObjs (both valid and invalid),

But what if nObjs * objSize is larger than fits into an int?

Regards, Frank
--
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
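
The overflow question raised in this thread, as an added example that is not part of the original message or of xpdf: a size check that divides before multiplying, so the signed multiplication is only evaluated when its result fits in an int. The names checked_alloc_size and gmallocn_checked are hypothetical, malloc stands in for gmalloc, and failure returns NULL instead of calling exit(1).

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Returns 1 and stores nObjs * objSize in *out when the product is
 * representable as a non-negative int; returns 0 otherwise.
 * The bound is tested by division first, so a signed overflow
 * (undefined behaviour in C) is never evaluated. */
static int checked_alloc_size(int nObjs, int objSize, int *out) {
  if (nObjs < 0 || objSize <= 0)
    return 0;
  if (nObjs > INT_MAX / objSize)
    return 0;
  *out = nObjs * objSize;
  return 1;
}

/* Hypothetical stand-in for gmallocn: malloc replaces gmalloc and a
 * rejected size yields NULL rather than terminating the process. */
static void *gmallocn_checked(int nObjs, int objSize) {
  int n;
  if (!checked_alloc_size(nObjs, objSize, &n)) {
    fprintf(stderr, "Bogus memory allocation size\n");
    return NULL;
  }
  return malloc((size_t)n);
}

int main(void) {
  /* Constructed inputs: the second one is the case asked about in the
   * thread, a product larger than fits into an int. */
  int counts[] = { 16, INT_MAX / 4 + 1, -1 };
  for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
    void *p = gmallocn_checked(counts[i], 4);
    printf("nObjs=%d objSize=4 -> %s\n", counts[i],
           p ? "allocated" : "rejected");
    free(p);
  }
  return 0;
}
```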